An access control system uses a policy to govern access to a resource. A simple access control system may allow the owner of a resource to grant specific principals or groups access to the resource. For example, if a user named Joe is the owner of a file named foo.txt, then Joe may specify that principals named A, B, and C, or principals who are members of group G, have access to foo.txt. Joe may also be able to grant different types of access separately, such as granting read access to some principals or groups, and read/write access to others.
Some modern access control systems, such as those implemented with the Security Policy Assertion Language (“SecPAL”), implement access control policies as a system of logical rules. In such a system, principals may make assertions, and the sufficiency of these assertions to grant access to the resource is judged against the rules. For example, Joe might make the assertion “Joe says Bob can read foo.txt.” If there is a rule that says “Authority says Joe can say % X can read foo.txt” (% X is a variable), then, under this rule, Joe's assertion is sufficient to prove that Authority says Bob can read foo.txt, so Bob would be granted access under this rule.
Abduction is a logical process of deriving premises to support a given conclusion. In a logic-based access control system, an access request may generate a query that takes the form of a conclusion. The conclusion can be either true or false, depending on whether access is to be granted. For example, in order for Bob to be granted permission to read foo.txt, the query “Authority says Bob can read foo.txt?” is a statement that is to be true if access is to be granted. Given the rule (“Authority says Joe can say % X can read foo.txt”), one can abduce an assumed fact—i.e., “Joe says Bob can read foo.txt”—which, if actually asserted by Joe, would cause the query to be true under the rule and therefore would result in allowance of access. This assertion, if made, would either be a proof of the conclusion represented by the access query, or would be part of such a proof.
An abduction engine may be used to automate the process of abducing the assertions that support an access request. Such an abduction engine generates a set of assumptions that, if true, would cause the access request to succeed. The raw assumptions may be of limited usefulness in helping a person to debug an existing policy or to author a new policy. The assumptions could be provided to a tool that assists in policy analysis.